| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAJuCfpECC9w6RdfbH34Y906uV=egUDct=6H54Xn79okKK80cjw@mail.gmail.com>
Date: Thu, 7 Aug 2025 19:48:40 +0000
From: Suren Baghdasaryan <surenb@...gle.com>
To: David Hildenbrand <david@...hat.com>
Cc: akpm@...ux-foundation.org, peterx@...hat.com, aarcange@...hat.com,
lokeshgidra@...gle.com, linux-mm@...ck.org, linux-kernel@...r.kernel.org,
syzbot+b446dbe27035ef6bd6c2@...kaller.appspotmail.com, stable@...r.kernel.org
Subject: Re: [PATCH v4 1/1] userfaultfd: fix a crash in UFFDIO_MOVE when PMD
is a migration entry
On Thu, Aug 7, 2025 at 7:42 PM David Hildenbrand <david@...hat.com> wrote:
>
> On 07.08.25 17:27, Suren Baghdasaryan wrote:
> > On Thu, Aug 7, 2025 at 3:31 AM David Hildenbrand <david@...hat.com> wrote:
> >>
> >> On 07.08.25 00:00, Suren Baghdasaryan wrote:
> >>> When UFFDIO_MOVE encounters a migration PMD entry, it proceeds with
> >>> obtaining a folio and accessing it even though the entry is swp_entry_t.
> >>> Add the missing check and let split_huge_pmd() handle migration entries.
> >>>
> >>> Fixes: adef440691ba ("userfaultfd: UFFDIO_MOVE uABI")
> >>> Reported-by: syzbot+b446dbe27035ef6bd6c2@...kaller.appspotmail.com
> >>> Closes: https://lore.kernel.org/all/68794b5c.a70a0220.693ce.0050.GAE@google.com/
> >>> Signed-off-by: Suren Baghdasaryan <surenb@...gle.com>
> >>> Reviewed-by: Peter Xu <peterx@...hat.com>
> >>> Cc: stable@...r.kernel.org
> >>> ---
> >>> Changes since v3 [1]
> >>> - Updated the title and changelog, per Peter Xu
> >>> - Added Reviewed-by: per Peter Xu
> >>>
> >>> [1] https://lore.kernel.org/all/20250806154015.769024-1-surenb@google.com/
> >>>
> >>> mm/userfaultfd.c | 17 ++++++++++-------
> >>> 1 file changed, 10 insertions(+), 7 deletions(-)
> >>>
> >>> diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
> >>> index 5431c9dd7fd7..116481606be8 100644
> >>> --- a/mm/userfaultfd.c
> >>> +++ b/mm/userfaultfd.c
> >>> @@ -1826,13 +1826,16 @@ ssize_t move_pages(struct userfaultfd_ctx *ctx, unsigned long dst_start,
> >>> /* Check if we can move the pmd without splitting it. */
> >>> if (move_splits_huge_pmd(dst_addr, src_addr, src_start + len) ||
> >>> !pmd_none(dst_pmdval)) {
> >>> - struct folio *folio = pmd_folio(*src_pmd);
> >>> -
> >>> - if (!folio || (!is_huge_zero_folio(folio) &&
> >>> - !PageAnonExclusive(&folio->page))) {
> >>> - spin_unlock(ptl);
> >>> - err = -EBUSY;
> >>> - break;
> >>> + /* Can be a migration entry */
> >>> + if (pmd_present(*src_pmd)) {
> >>> + struct folio *folio = pmd_folio(*src_pmd);
> >>> +
> >>> + if (!folio
> >>
> >>
> >> How could you get !folio here? That only makes sense when calling
> >> vm_normal_folio_pmd(), no?
> >
> > Yes, I think you are right, this check is not needed. I can fold it
> > into this fix or post a separate cleanup patch. I'm guessing a
> > separate patch would be better?
>
> I think you can just post a fixup inline here and ask Andrew to squash
> it. He will shout if he wants a completely new version :)
I wouldn't do that to him! :)
Let me quickly send an updated version instead.
>
> --
> Cheers,
>
> David / dhildenb
>
Powered by blists - more mailing lists